STOP
STOP is a ransomware that runs on Microsoft Windows. The ransomware first made its appearance in December 2017. The malware uses the Crypto++ implementation, encrypts user data with AES-256 (or Salsa20 in later variants) and adds a certain file extension. New versions are created almost every month, and at the moment the virus is appending the following extensions: .SAVEfiles, .puma, .pumas, .pumax, .shadow, .keypass, and many others. It is also worth mentioning that the most notorious variants are KeyPass and DjVu, which made headlines when they targeted victims in over 20 countries. At the moment, DjVu is the most active version of STOP ransomware; it has been demanding a ransom of $300 – $600 for a data decryptor. STOP accounts for 56% of the submissions to ID Ransomware, with more and more extensions coming. STOP's ransom note names are _openme.txt, !readme.txt or, more recently, _readme.txt. STOP also urges users to contact its support via restoredjvu@firemail.cc, stopfilesrestore@bitmessage.ch, helpshadow@india.com or similar email addresses.

Payload Transmission

STOP ransomware is distributed through shady sites and adware bundles. These sites promote fake software cracks or free programs, which are really adware bundles that install a variety of unwanted software and malware onto a user's computer. One of the programs installed via these bundles is the STOP ransomware. Some of the reported cracks that have been seen installing STOP include KMSPico, Cubase, Photoshop, and antivirus software. Infected attachments are also a vector, especially for DjVu.

Behavior

The original and first version of the malware adds the .STOP file extension to make files inaccessible on the affected Windows computer. As soon as STOP ransomware finishes the encryption procedure, the virus delivers a ransom note, for example a "!!! YourDataRestore !!! txt" file, on the root of the disk.
STOP is mostly obfuscated, with layers of UPX and other packers, to protect itself; STOP also has layers of junk code, especially functions that exit in various ways, from ExitProcess to CorExitProcess. When STOP is run, it will ask for Administrator privileges. STOP splits its behavior into two parts: the part that contacts the C&C and the part that encrypts files, given an ID and a Base64-encoded Salsa20 256-bit key; the two parts are selected by the given command line, as well as by the folder it is run from and its privileges. STOP will first check for certain countries (Russia and the CIS countries) and will not execute in them. STOP will then run the main part of itself in shellcode. When STOP starts without a command line, it checks whether it has Administrator privileges; if not, it copies itself into AppData\Local under the exact file name it was run with, runs the copy, and asks for privileges. If the user grants the privileges, STOP runs with the arguments --Admin --IsNotTask --IsNotStart; these mean that STOP is running as Administrator, is not injected into any process to act as a watchdog, and is not set to start again using the Registry. STOP will first create two folders in AppData\Local, named with two random GUIDs derived from a hash of the system itself. STOP will then try to contact a given C&C and download a couple of executable files, mostly related to Azorult; the ransomware gets an ID and a Salsa20 key from the server; it then creates a folder on the root of the disk, SystemID, and creates there a file containing the ID itself, SystemID.txt. After that, it re-runs itself with the Base64 Salsa20 string and the given ID as arguments (PATH --ForNetRes ID KEY) and starts its own encryption routine.
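An added detection example, not code from the wiki page or from the malware itself: the following Python classifies Windows process-creation events by the command-line stages this Behavior section describes, including the watchdog arguments and the hardcoded offline ID covered just below. The sample events, paths, PID, ID and key are constructed placeholders.

```python
import re

# STOP's command-line stages as documented in the Behavior section:
# relaunch after the UAC prompt (--Admin --IsNotTask --IsNotStart), the
# encryptor (PATH --ForNetRes ID KEY) and the watchdog injected into
# svchost.exe or taskeng.exe (--Task --Service PID).
STAGES = [
    ("admin-relaunch", re.compile(r"--Admin\b.*--IsNotTask\b.*--IsNotStart\b")),
    ("encryptor", re.compile(r"--ForNetRes\s+(?P<id>\S+)\s+(?P<key>\S+)")),
    ("watchdog", re.compile(r"--Task\b.*--Service\s+(?P<pid>\d+)")),
]
# STOP copies itself into AppData\Local before asking for privileges.
APPDATA_LOCAL = re.compile(r"\\AppData\\Local\\[^\\]+\.exe$", re.IGNORECASE)


def classify(image, cmdline):
    """Return the STOP-related findings for one process-creation event."""
    findings = []
    for name, pattern in STAGES:
        match = pattern.search(cmdline)
        if not match:
            continue
        findings.append(name)
        if name == "encryptor":
            findings.append("key-in-cmdline")  # the Base64 Salsa20 key is exposed here
            # Without C&C contact STOP falls back to a hardcoded ID that usually
            # ends in "t2"; those are the infections an offline decryptor can cover.
            if match.group("id").endswith("t2"):
                findings.append("offline-id")
    if "admin-relaunch" in findings and APPDATA_LOCAL.search(image):
        findings.append("copied-to-appdata-local")
    return findings


# Constructed sample events (image, command line); paths, PID, ID and key are placeholders.
SAMPLE_EVENTS = [
    (r"C:\Users\bob\Downloads\setup.exe", r'"C:\Users\bob\Downloads\setup.exe"'),
    (r"C:\Users\bob\AppData\Local\setup.exe",
     r'"C:\Users\bob\AppData\Local\setup.exe" --Admin --IsNotTask --IsNotStart'),
    (r"C:\Users\bob\AppData\Local\setup.exe",
     r'"C:\Users\bob\AppData\Local\setup.exe" --ForNetRes PLACEHOLDERIDt2 UExBQ0VIT0xERVJLRVk='),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe --Task --Service 4120"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]


def scan(events):
    """Return (image, findings) for every event that triggered at least one finding."""
    hits = [(image, classify(image, cmd)) for image, cmd in events]
    return [(image, f) for image, f in hits if f]
```

Running scan(SAMPLE_EVENTS) flags the AppData\Local relaunch, the encryptor invocation with its key and offline ID, and the svchost.exe watchdog, while the plain download and the legitimate svchost.exe service host produce no findings.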
STOP may inject itself as a watchdog into processes and run in their context, svchost.exe for example; some variants, like .coot, inject themselves into taskeng.exe. The injected process is given the argument --Task, plus --Service PID, which tells it which other process to protect and to run again if it is terminated. The encryption routine and argument parsing happen for every drive, including network drives and removable drives. If the server is offline, or the PC is unable to connect to the internet, STOP will use a hardcoded ID (which usually ends with t2) and key, and will skip the download step. The ransomware does not use RSA. It uses Salsa20, with a custom implementation of the cryptography. The ransomware uses CFB mode and encrypts every file regardless of its extension; it only encrypts the first 5 MB of each file. It skips some folders, such as C:\Windows; the drive letters are hardcoded into the paths it avoids. Some variants of STOP (.doples, for example) skip the Desktop folder so as not to be noticed. The IV (Initialization Vector) is not randomized for every file, which makes the encryption much weaker. After encryption, the malware will create a ransom note for every drive, as reported before. The ransomware then deletes the Shadow Copies.

Removal

A decryptor for the STOP Ransomware has been released by Emsisoft and Michael Gillespie that allows users to decrypt files encrypted by 148 variants of the infection for free. The STOPdecryptor does not decrypt variants that were released after August 2019, because the encryption was changed.

Variants

* Suspended: This variant was discovered in February 2018. It locks files with a .SUSPENDED file extension. Suspended provides recovery instructions in a "!!RestoreProcess!!!.txt" file and asks the victim to send their unique ID and sample files of their choice for decryption to the suspendedfiles@bitmessage.ch or suspendedfiles@india.com email addresses.
The size of the ransom and the deadline remain the same.

* Contactus: This variant was discovered in May 2018. It uses the .CONTACTUS file extension to lock files. Not only the appended suffix was changed: the crooks also renamed the data recovery instructions, and the document where all recovery options are provided is now called !!!RESTORE_FILES!!!.txt. The contact email addresses were changed to decryption@bitmessage.ch and decryption@india.com. The ransom note reads:

All your important files were encrypted on this PC.
All files with .CONTACTUS extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to CONTACTUS us by email decryption@bitmessage.ch send us an email your !!!RESTORE_FILES!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.
Your personal id: 40 characters
E-mail address to contact us: decryption@bitmessage.ch
Reserve e-mail address to contact us: decryption@india.com

* SaveFiles: This variant was discovered in September 2018. It creates a ransom note called !!!SAVE_FILES_INFO!!!.txt in every folder that contains encrypted data. It does not use RSA. The ransom note contains the following text:

WARNING!
Your files, photos, documents, databases and other important files are encrypted and have the extension: .SAVEfiles
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $500. This price avaliable if you contact us first 72 hours.
E-mail address to contact us: BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch
Reserve e-mail address to contact us: savefiles@india.com
Your personal id:

* Puma: This variant is decryptable, because it uses XOR instead of a stronger encryption algorithm. However, only files with the .puma, .pumas, and .pumax extensions can be decrypted using a special decrypter. The victim is given 72 hours to contact the malware authors.

* Shadow: This variant was discovered in December 2018. It uses the .shadow file extension to lock files. This file extension was first used by the BTCWare ransomware back in 2017, and the STOP malware authors have now adopted it as well. Shadow drops a ransom note, !readme.txt, that explains how to proceed with the payment in Bitcoin. The ransomware authors offer to decrypt one file for free to prove that the decryptor actually works. The emails helpshadow@india.com and helpshadow@firemail.cc are given as contact information by the ransomware authors. The ransom note refers to a 50% discount on the ransom price that is only valid within the first 72 hours of the infection.

* Djvu: This variant is currently the newest. It has been appending several extensions: .djvu, .djvus, .djvuu, .udjvu, .uudjvu, .djvuq, .djvur. The virus has already affected thousands of users worldwide by using the most popular scheme ransomware uses to sneak into the target system: spam. Victims typically receive an email offering to tell them more about their parcel, invoice, report or delivery.
However, downloading the attachment means letting the virus into the system.

* KeyPass: This variant is a particular variant of STOP, meant to be used in targeted attacks. It uses the Crypto++ AES-256 implementation and is a 2 MB C++ MFC Visual Studio application. When a certain key, F8, is pressed, it shows a dialog that allows the attacker to change the ransom note, ID, key and many other details for use in manual attacks.